During message transmission, messages may be changed by an attacker. To avoid such an attack, there exist different approaches. One of these approaches is a method for constructing message authentication codes (MACs) using block ciphers and is known as “CMAC”.
The MAC on a message is constructed by splitting it into blocks of size equal to the blocksize of the underlying cipher (e.g. 128 bits in the case of AES), CBC-encrypting the message (with padding in the last block if required), and retaining (all or part of) the result of the last block encryption as the computed MAC value. In the event that a MAC shorter than the cipher blocksize is to be used, the computed MAC may be truncated by retaining the required number of most significant bits. A MAC algorithm, sometimes called a keyed (cryptographic) hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.
Differential power analysis is a form of side channel attack in which the attacker studies the power consumption of a cryptographic hardware device (such as a smart card, tamper-resistant “black box”, or integrated circuit). The attack can non-invasively extract cryptographic keys and other secret information from the device. To prevent certain cryptographic attacks, some MAC construction algorithms may re-encrypt the last block of the message with a further key. Nevertheless, such an encrypted message authentication code remains vulnerable to DPA attacks since the first-block-input and last-block-output vectors are still visible.